PHP 4.4.4 Release Announcement

This release address a series of locally exploitable security problems
discovered since PHP 4.4.3. All PHP users are encouraged to upgrade to this
release as soon as possible.

This release provides the following security fixes:

* Added missing safe_mode/open_basedir checks inside the error_log(),
  file_exists(), imap_open() and imap_reopen() functions.
* Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
* Fixed possible open_basedir/safe_mode bypass in cURL extension.
* Fixed overflow in GD extension on invalid GIF images.
* Fixed a buffer overflow inside sscanf() function.
* Fixed memory_limit restriction on 64 bit system.

3 files changed, 6 insertions, 90 deletions

diff --git a/www/php4/Makefile.common b/www/php4/Makefile.common
index cc2c400fb69..9b707bfc4c9 100644
--- a/www/php4/Makefile.common
+++ b/www/php4/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.53 2006/08/10 23:01:40 adrianp Exp $
+# $NetBSD: Makefile.common,v 1.54 2006/08/20 09:44:59 adrianp Exp $
 
 DISTNAME?=		php-${PHP_DIST_VERS}
 CATEGORIES+=		www php4
@@ -18,7 +18,7 @@ HOMEPAGE?=		http://www.php.net/
 # PHP_DIST_VERS		version number on the php distfile
 # PHP_BASE_VERS		pkgsrc-mangled version number (convert pl -> .)
 #
-PHP_DIST_VERS=		4.4.3
+PHP_DIST_VERS=		4.4.4
 PHP_BASE_VERS=		${PHP_DIST_VERS}
 
 DISTFILES?=		${PHP_DISTFILE}
diff --git a/www/php4/distinfo b/www/php4/distinfo
index e6eb2a43a11..6ba26f153f7 100644
--- a/www/php4/distinfo
+++ b/www/php4/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.56 2006/08/10 23:01:40 adrianp Exp $
+$NetBSD: distinfo,v 1.57 2006/08/20 09:44:59 adrianp Exp $
 
-SHA1 (php-4.4.3.tar.bz2) = 42aec56fec03c13366c0b0aac13169138814a4b5
-RMD160 (php-4.4.3.tar.bz2) = 36c91930af44e8a1ed59eb159e6131ae8f0c77f0
-Size (php-4.4.3.tar.bz2) = 4461353 bytes
+SHA1 (php-4.4.4.tar.bz2) = 05d62910fb5734344db87f0a17b1e8e001b26b05
+RMD160 (php-4.4.4.tar.bz2) = 02fd7d5135a9e5ce11d905a4a474a5d42b8441f3
+Size (php-4.4.4.tar.bz2) = 4478698 bytes
 SHA1 (patch-aa) = feb064407950d0fc732b7240e65cac84420d2407
 SHA1 (patch-ab) = 38a4bcd0d65b26c5d8e54e22b552f60831188469
 SHA1 (patch-ad) = 9ca5d2f59bfeea77a98cd0e727546d11669114cd
@@ -15,4 +15,3 @@ SHA1 (patch-al) = 28ad9006b387e2b9984ad49beea21c9d46e63b46
 SHA1 (patch-ao) = 0fd4becf023451ac8cb185df354830efc86c1344
 SHA1 (patch-ap) = 2f852abd1e9d0f089add18b2eade2831253ad00e
 SHA1 (patch-at) = f8b3aebd61fe2d5b5a994e1d973424a1ed397f63
-SHA1 (patch-aw) = f8e2f36a4d9bb4a60d255127ac5984c33ea74841
diff --git a/www/php4/patches/patch-aw b/www/php4/patches/patch-aw
deleted file mode 100644
index 10ea46cce89..00000000000
--- a/www/php4/patches/patch-aw
+++ /dev/null
@@ -1,83 +0,0 @@
---- ext/standard/scanf.c.orig	2006-01-01 13:46:58.000000000 +0000
-+++ ext/standard/scanf.c	2006-08-10 23:00:19.000000000 +0100
-@@ -732,7 +732,7 @@
-                 if (*end == '$') {
-                     format = end+1;
-                     ch = format++;
--                    objIndex = varStart + value;
-+                    objIndex = varStart + value - 1;
-                 }
-          }
- 
-@@ -762,8 +762,10 @@
-         switch (*ch) {
-             case 'n':
-                 if (!(flags & SCAN_SUPPRESS)) {
--                    if (numVars) {
--						current = args[objIndex++];
-+                    if (numVars && objIndex >= argCount) {
-+                        break;
-+                    } else if (numVars) {
-+                        current = args[objIndex++];
-                         zval_dtor( *current );
-                         ZVAL_LONG( *current, (long)(string - baseString) );
-                     } else {
-@@ -883,8 +885,10 @@
-                 }
-             }
-             if (!(flags & SCAN_SUPPRESS)) {
--                if (numVars) {
--                    current = args[objIndex++];
-+                if (numVars && objIndex >= argCount) {
-+                    break;
-+                } else if (numVars) {
-+					current = args[objIndex++];
- 					zval_dtor( *current );
- 					ZVAL_STRINGL( *current, string, end-string, 1);
-                 } else {
-@@ -922,7 +926,9 @@
-                 goto done;
-             }
-             if (!(flags & SCAN_SUPPRESS)) {
--                if (numVars) {
-+                if (numVars && objIndex >= argCount) {
-+                    break;
-+                } else if (numVars) {
-                     current = args[objIndex++];
-                     zval_dtor( *current );
-                     ZVAL_STRINGL( *current, string, end-string, 1);
-@@ -1079,8 +1085,10 @@
- 		    value = (int) (*fn)(buf, NULL, base);
- 		    if ((flags & SCAN_UNSIGNED) && (value < 0)) {
-                 sprintf(buf, "%u", value); /* INTL: ISO digit */
--                if (numVars) {
--                  /* change passed value type to string */
-+                if (numVars && objIndex >= argCount) {
-+                   break;
-+                } else if (numVars) {
-+                   /* change passed value type to string */
-                    current = args[objIndex++];
-                    convert_to_string( *current );
-                    ZVAL_STRING( *current, buf, 1 );
-@@ -1088,7 +1096,9 @@
-                     add_index_string(*return_value, objIndex++, buf, 1);
-                 }
-             } else {
--                if (numVars) {
-+                if (numVars && objIndex >= argCount) {
-+                    break;
-+                } else if (numVars) {
-                     current = args[objIndex++];
-                     convert_to_long( *current );
-                     Z_LVAL(**current) = value;
-@@ -1196,7 +1206,9 @@
- 		    double dvalue;
- 		    *end = '\0';
- 		    dvalue = zend_strtod(buf, NULL);
--            if (numVars) {
-+            if (numVars && objIndex >= argCount) {
-+                break;
-+            } else if (numVars) {
-                 current = args[objIndex++];
-                 convert_to_double( *current );
-                 Z_DVAL_PP( current ) = dvalue;